Controlling access to an API with API Gateway
resource policies

Amazon API Gateway resource policies are JSON policy documents that you attach
to an API to control whether a specified principal (typically an IAM user or role)
can
invoke the API. You can use API Gateway resource policies to allow your API to be
securely invoked
by:

You can attach a resource policy to an API by using the AWS Management Console, AWS
CLI, or AWS
SDKs.

API Gateway resource policies are different from IAM policies. IAM policies are attached
to
IAM entities (users, groups, or roles) and define what actions those entities are
capable
of doing on which resources. API Gateway resource policies are attached to resources.
For a more
detailed discussion of the differences between identity-based (IAM) policies and resource
policies, see Identity-Based Policies and Resource-Based Policies.